Authentication Security Module
A set of APIs to provide additional security checks during authentication

Type: JAR
Developed by: XWiki Development Team
License: GNU General Public License 1
Bundled With: XWiki Standard
Compatibility: Since 11.6RC1
Description
This module provides an API for adding new checks during authentication.
The default implementation triggers security checks when a user fails to authenticate several times within a given time window.
Configuration
The configuration of the module covers three settings:
- the authentication failure strategies to activate (default: CAPTCHA)
- the maximum number of failed login attempts allowed before a strategy is activated (default: 3)
- the time window within which those attempts must occur (default: 5 minutes)
Setting no strategy, or setting either the maximum number of attempts or the time window to 0, disables the feature.
This configuration is available in the Administration > Authentication page by default.
Authentication Failure Manager
This component records authentication failures and triggers the configured strategies once a user reaches the limit within the time window.
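The sliding-window rule from the configuration section and the manager's role above, as an added illustrative model (this is not XWiki's own AuthenticationFailureManager; every class and method name below is hypothetical): failures are timestamped per login name, anything older than the window is discarded, and a strategy is due when the failures still inside the window reach the configured maximum. It also implements the documented off switch (no strategy, 0 attempts, or a zero window).

```java
import java.time.Duration;
import java.time.Instant;
import java.util.ArrayDeque;
import java.util.Deque;
import java.util.HashMap;
import java.util.Map;

/**
 * Illustrative model of the failure-window logic (added example, hypothetical names).
 * Each failed login is stored with its timestamp; failures that fell out of the
 * configured window are pruned before the count is compared to the maximum.
 */
public class FailureWindowModel {
    private final int maxAttempts;            // documented default: 3; 0 disables the feature
    private final Duration timeWindow;        // documented default: 5 minutes; 0 disables the feature
    private final boolean strategyConfigured; // no configured strategy also disables the feature
    private final Map<String, Deque<Instant>> failures = new HashMap<>();

    public FailureWindowModel(int maxAttempts, Duration timeWindow, boolean strategyConfigured) {
        this.maxAttempts = maxAttempts;
        this.timeWindow = timeWindow;
        this.strategyConfigured = strategyConfigured;
    }

    /** Mirrors the documented rule: no strategy, 0 attempts or a zero window turns the checks off. */
    public boolean isEnabled() {
        return strategyConfigured && maxAttempts > 0
            && !timeWindow.isZero() && !timeWindow.isNegative();
    }

    /**
     * Records one failed login for the given user at the given time and returns true
     * when the limit is reached inside the window, i.e. when a strategy should activate.
     */
    public boolean recordFailure(String username, Instant now) {
        if (!isEnabled()) {
            return false;
        }
        Deque<Instant> attempts = failures.computeIfAbsent(username, k -> new ArrayDeque<>());
        attempts.addLast(now);
        // Drop every failure that is older than the start of the sliding window.
        Instant windowStart = now.minus(timeWindow);
        while (!attempts.isEmpty() && attempts.peekFirst().isBefore(windowStart)) {
            attempts.pollFirst();
        }
        return attempts.size() >= maxAttempts;
    }

    /** A successful login clears the counter so stale failures do not carry over. */
    public void reset(String username) {
        failures.remove(username);
    }

    public static void main(String[] args) {
        FailureWindowModel model = new FailureWindowModel(3, Duration.ofMinutes(5), true);
        Instant t0 = Instant.parse("2024-01-01T10:00:00Z"); // constructed timestamps for the demo

        // Three failures two minutes apart: the third one reaches the limit.
        System.out.println(model.recordFailure("alice", t0));
        System.out.println(model.recordFailure("alice", t0.plusSeconds(60)));
        System.out.println(model.recordFailure("alice", t0.plusSeconds(120)));

        // Seven minutes after the first failure only the ones inside the last
        // five minutes still count, so the limit is no longer reached.
        System.out.println(model.recordFailure("alice", t0.plusSeconds(420)));

        // With the maximum set to 0 the feature is off and nothing is ever triggered.
        FailureWindowModel disabled = new FailureWindowModel(0, Duration.ofMinutes(5), true);
        System.out.println(disabled.isEnabled());
        System.out.println(disabled.recordFailure("alice", t0));
    }
}
```

The point worth keeping from the model is the pruning step: a fixed counter that never expires would lock out a legitimate user who mistypes a password once a week, whereas a sliding window only reacts to a burst of failures.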
Authentication Failure Strategies
Two strategies are currently implemented and available.
CAPTCHA
This is the default strategy. Once a user reaches the maximum number of failed authentication attempts, a CAPTCHA is displayed on the login page and the user has to solve it in order to log in.
Disable Account
This strategy automatically disables the user account after repeated authentication failures. The user then needs to contact a wiki administrator to have the account re-enabled. Note that anyone who knows a login name can trigger this lockout on purpose by failing the login repeatedly, so weigh it against the CAPTCHA strategy for accounts that must stay reachable.
Events
Two new events are provided:
- AuthenticationFailureEvent, triggered whenever a user fails to authenticate
- AuthenticationFailureLimitReachedEvent, triggered when the authentication failure manager detects that a user has reached the limit of authentication failures
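A listener for the two events above, as an added example that is not part of the module: it audits every failure at debug level and raises a warning once the limit is reached, which is the signal a security team usually wants to forward. It uses the standard XWiki observation API (AbstractEventListener and the @Component annotation). Assumptions: the event classes live in org.xwiki.security.authentication and have no-argument constructors, and the event source carries the login name that failed; the package, class name and component hint are hypothetical.

```java
package org.example.authsecurity; // hypothetical package for this added example

import javax.inject.Inject;
import javax.inject.Named;
import javax.inject.Singleton;

import org.slf4j.Logger;
import org.xwiki.component.annotation.Component;
import org.xwiki.observation.AbstractEventListener;
import org.xwiki.observation.event.Event;
import org.xwiki.security.authentication.AuthenticationFailureEvent;
import org.xwiki.security.authentication.AuthenticationFailureLimitReachedEvent;

/**
 * Added example listener (not part of the module). Registers for both
 * authentication failure events and writes an audit line for each.
 */
@Component
@Named("authFailureAuditListener") // hypothetical component hint
@Singleton
public class AuthFailureAuditListener extends AbstractEventListener {
    @Inject
    private Logger logger;

    public AuthFailureAuditListener() {
        // Assumption: both event classes offer a no-argument constructor.
        super("authFailureAuditListener",
            new AuthenticationFailureEvent(), new AuthenticationFailureLimitReachedEvent());
    }

    @Override
    public void onEvent(Event event, Object source, Object data) {
        // Assumption: the event source is the login name that failed.
        // The name comes straight from the login form, so strip line breaks
        // before logging it to keep an attacker from forging extra log lines.
        String username = String.valueOf(source).replaceAll("[\\r\\n]", "_");

        if (event instanceof AuthenticationFailureLimitReachedEvent) {
            logger.warn("Authentication failure limit reached for user [{}]", username);
        } else if (event instanceof AuthenticationFailureEvent) {
            logger.debug("Authentication failure for user [{}]", username);
        }
    }
}
```

Like any XWiki component, the listener is picked up only when its fully qualified class name is listed in the JAR's META-INF/components.txt. Keep the per-failure line at debug level: on a public wiki it fires for every mistyped password, and the warning on the limit-reached event is the one worth alerting on.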